Secure Route Discovery Node and Policing Mechanism

ABSTRACT

A computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to a computer implemented method and computer program product for network security. More specifically, the present invention relates to segregating network traffic to traverse only secure routers that have clearance levels at least as high as the classification of the network traffic itself.

2. Description of the Related Art

Government data processing systems are routinely used to process information under a security scheme that governs the circulation of information within and among people, secure areas or places, and machines. A typical security scheme stratifies security levels as being, for example, unclassified, classified, secret, and top secret. A security level is a generic term for either a clearance level or a classification level.

A clearance level indicates the level of trust given to a person, computer node, or place. The clearance level indicates the highest level of classified information to be stored or handled by the person, device, or location. A classification level indicates the level of sensitivity associated with some information, such as in a document or a computer file. The level is supposed to indicate the degree of damage the country could suffer if the information is disclosed to an enemy. A high level, such as “top secret”, is information that potentially could seriously damage a country. Though this label is somewhat subjective, information labeled “top secret” has a higher security level than “secret”. Similarly, “secret” has a higher security level than “classified”. In addition, “classified” has a higher security level than “unclassified”. Similar security levels may exist in countries other than the United States of America, and may have more or fewer labels. However the security scheme is organized, the people, places, and equipment with higher clearance levels are permitted to access information classified at the corresponding classification level or lower. Thus, a “top secret” person may access information in the levels below that label, for example “classified”.

Access by machines or people of information classified above the clearance level of the machine or person is placing such information at risk in entities that are not trained, equipped, or trusted sufficiently to assure continued security of such information. Accordingly, governments seek ways to detect when such occurrences happen to data owned and controlled by the government. In essence, part of the job of a government is to locate leaks or potential leaks and issue warnings, legal action, training, etc., to abate further dissemination of information in improper ways.

FIG. 3 is a model of data regulation in a stratified security classification system. In a network of computers, a government may regulate the flow of data according to the model shown in FIG. 3. Each computer may also be called a node, host, or router. FIG. 3 shows how information, such as documents, flows with respect to a hypothetical process. “Cat” document 301 is classified “top secret” 305; “dog” document 311 is classified “secret”; and “bird” document 321 is classified “unclassified” 325. In relation to these documents, a word processor process 331 has varying levels of access. Word processor process 331 is a client executing on a node. A client is a process that executes on a node.

Word processor process 331 is cleared to a “secret” security level. A label “secret” 335 is set to correspond with the process in the node. Accordingly, word processor process 331 can read from the unclassified “bird” document 325. In addition, word processor process 331 can both read 353 and write 355 to secret “dog” document 311. Importantly, it is undesirable, to the government who protects information, that word processor process 331 reads documents such as top secret labeled “cat” document 301. In other words, the process is forbidden from “reading up” a classification level from the clearance level associated with the process. Reading up means that a process, person, or device has obtained or read data that is above the clearance level of the process, person, or device. A government can take steps to stop reading up, though it may have to contend with reading up occurring, despite the government's efforts.

The above conditions are addressed in the following detailed description.

SUMMARY OF THE INVENTION

The present invention provides a computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is a data processing system in accordance with an illustrative embodiment of the invention;

FIG. 2 shows a heterogeneous network of multilevel security routers and non-multilevel security routers;

FIG. 3 is a model of data regulation in a stratified security classification system;

FIG. 4 is a secure route query in accordance with an illustrative embodiment of the invention;

FIG. 5 is an example secure route cache in accordance with an illustrative embodiment of the invention;

FIG. 6 is a flowchart of steps to configure a secure route discovery node and respond to a secure route query in accordance with an illustrative embodiment of the invention;

FIG. 7 is a flowchart of steps performed at a secure router in accordance with an illustrative embodiment of the invention; and

FIG. 8 is a flowchart of steps for a trusted host to take to set up a secure route in accordance with an illustrative embodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

With reference now to the figures and in particular with reference to FIG. 1, a block diagram of a data processing system is shown in which aspects of an illustrative embodiment may be implemented. Data processing system 100 is an example of a computer, in which code or instructions implementing the processes of the present invention may be located. In the depicted example, data processing system 100 employs a hub architecture including a north bridge and memory controller hub (NB/MCH) 102 and a south bridge and input/output (I/O) controller hub (SB/ICH) 104. Processor 106, main memory 108, and graphics processor 110 connect to north bridge and memory controller hub 102. Graphics processor 110 may connect to the NB/MCH through an accelerated graphics port (AGP), for example.

In the depicted example, local area network (LAN) adapter 112 connects to south bridge and I/O controller hub 104, and audio adapter 116, keyboard and mouse adapter 120, modem 122, read only memory (ROM) 124, hard disk drive (HDD) 126, CD-ROM drive 130, universal serial bus (USB) ports and other communications ports 132, and PCI/PCIe devices 134 connect to south bridge and I/O controller hub 104 through bus 138 and bus 140. PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 124 may be, for example, a flash binary input/output system (BIOS). Hard disk drive 126 and CD-ROM drive 130 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. A super I/O (SIO) device 136 may be connected to south bridge and I/O controller hub 104.

An operating system runs on processor 106, and coordinates and provides control of various components within data processing system 100 in FIG. 1. The operating system may be a commercially available operating system such as Microsoft® Windows® XP. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. An object oriented programming system, such as the Java™ programming system, may run in conjunction with the operating system and provides calls to the operating system from Java™ programs or applications executing on data processing system 100. Java™ is a trademark of Sun Microsystems, Inc. in the United States, other countries, or both.

Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as hard disk drive 126, and may be loaded into main memory 108 for execution by processor 106. The processes of the present invention can be performed by processor 106 using computer implemented instructions, which may be located in a memory such as, for example, main memory 108, read only memory 124, or in one or more peripheral devices.

Those of ordinary skill in the art will appreciate that the hardware in FIG. 1 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, and the like, may be used in addition to or in place of the hardware depicted in FIG. 1. In addition, the processes of the illustrative embodiments may be applied to a multiprocessor data processing system.

In some illustrative examples, data processing system 100 may be a personal digital assistant (PDA), which is configured with flash memory to provide non-volatile memory for storing operating system files and/or user-generated data. A bus system may be comprised of one or more buses, such as a system bus, an I/O bus and a PCI bus. Of course, the bus system may be implemented using any type of communications fabric or architecture that provides for a transfer of data between different components or devices attached to the fabric or architecture. A communication unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter. A memory may be, for example, main memory 108 or a cache such as found in north bridge and memory controller hub 102. A processing unit may include one or more processors or CPUs. The depicted example in FIG. 1 is not meant to imply architectural limitations. For example, data processing system 100 also may be a tablet computer, laptop computer, or telephone device in addition to taking the form of a PDA.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module”, or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any tangible medium of expression having computer usable program code embodied in the medium.

Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including, but not limited to, wireless, wireline, optical fiber cable, RF, etc.

Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

The present invention is described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

The aspects of the illustrative embodiments provide a computer implemented method, data processing system, and computer program product for establishing a secure path between a trusted host and a destination host, or at least indicating to a destination host that a secure route is unknown to a secure route discovery node. In other words, in the second situation, there is no secure route available to the secure discovery node that will satisfy a classification level of data targeting the destination host.

FIG. 2 shows a heterogeneous network of multilevel security routers and non-multilevel security routers, in accordance with an illustrative embodiment of the invention. A secure router is a router that has a corresponding clearance level set by an administrator who has authority from a government. A secure router can be a multilevel security (MLS) router. A multilevel security router is a router that meets standards set forth in RFC 1038 and RFC 1108, as well as other standards that generally describe internet security options, such as Revised Internet Protocol Security Option (RIPSO) and Commercial Internet Protocol Security Option (CIPSO). Conversely, the non-multilevel security (non-MLS) router does not take any responsive routing action based on any label, although it may drop a packet that carries a label. A trusted host 201 is connected by a network in a manner that may permit unclassified data to pass over several intermediate routers or nodes. These routers include non-MLS router 1 203, MLS top secret router 2 205, and MLS secret router 3 207. MLS secret router 3 207 controls traffic entering and leaving a destination host. The destination host is a target to which an initiator of communication, for example trusted host 201, directs communication. In other words, a client communication request (explained below with reference to FIG. 8) describes which trusted host is to be targeted for communication. The destination host may be trusted host 209. Both trusted host 201 and trusted host 209 have “secret” clearance levels associated with each of them. Each of trusted host 201, non-MLS router 1 203, MLS top secret router 2 205, MLS secret router 3 207, trusted host 209, and secure route discovery node 221 may be organized in the same manner as data processing system 100 of FIG. 1. For purposes of the examples shown below, trusted host 201 operates as a source, while trusted host 209 operates as a destination for an ad hoc communication. It is appreciated that the roles may be changed in accordance with which trusted host initiates a communication at a given time.

Network 200 is monitored and served by secure route discovery node 221. A secure route discovery node is a node that collects the network topology information of a network. Accordingly, a secure route discovery node may record to a database each router in the network topology and a clearance level. The database that stores each pairing of a router and clearance level is a secure routes database controlled by the secure route discovery node. Secure route discovery node 221 updates and queries secure routes database 223 in response to activity on network 200.

Activity on the network may appear in at least three different forms. First, the network may query the secure route discovery node by transmitting to the secure route discovery node secure route query 251. Second, the network's routers may each transmit a multicast packet or packets (not shown) in order to announce the connectivity or clearance level status of the sending router. Third, a secure router may collect and report anomalous packet sources. In other words, the secure router may identify routers that send packets that reach a secure router having a clearance level below the security label of such packets. A security label is an indication of the classification level of information transmitted over a network. In addition, and in response to node secure route queries, the secure route discovery node may respond with a secure route discovery node response 253. Each of these communications or activities is described further below.

FIG. 4 is a secure route query in accordance with an illustrative embodiment of the invention. A secure route query may be built in a trusted host or be transported in one or more packets as a payload. A secure route query is a message sent by a trusted host to a secure route discovery node. A secure route query may have three forms of data, namely, a trusted host address, a destination host address, and a security level. In this example, secure route query 400 is depicted as trusted host address 401, destination host address 403, and security level 405. A trusted host address is an address that, with respect to the network, uniquely identifies the trusted host. A security level, within the secure route query, is the security level desired for communicating packets. The security level may be a level selected by the client, or may be a level that, by default, all applications use.

A secure route discovery node may respond to a secure route query with a secure route. If the secure route is found and sent to the trusted host, the trusted host may cache the route (along with other routes) in a manner to track the security level associated with the route. The security level associated with the route may be the lowest security level of any secure router along the route. The trusted host may store the secure route to a secure route cache. A secure route cache is a low-latency recording device local to a trusted host. By ‘local to’ it is meant that the recording device is housed within a data processing system that is the trusted host, or is within a common structure having security features consistent with the clearance level of the trusted host. The recording device can be, for example, main memory 108, hard disk drive 126, cache within processor 106, or any other device capable of storing data.

FIG. 5 is an example secure route cache in accordance with an illustrative embodiment of the invention. Secure route cache 500 can include cache time expiration 501. A cache time expiration is a time that is set by an administrator to reset the cache by resuming an untrusted and/or unverified state with respect to the particular path to which the cache time expiration is associated. In the example of FIG. 5, the cache time expiration is 13:01 Aug. 19, 2009. The cache time expiration may include indications of time zone and daylight savings status, and may be expressed according to any calendar or epoch that is a convention for marking time by the government. The secure route cache may also include a destination host address 503, as well as zero or more intermediate secure routers. In this case, the intermediate secure routers include secure router 3's address 503 and secure router 2's address 505, while the destination host address may reference trusted host 209. In addition, the secure route cache may include security level 509 assigned to the route. The cache time expiration, intermediate routers, and security level may be added together or deleted together from the secure route cache. Multiple routes may be present in the secure route cache. An intermediate router is a router located along a route, but not at the endpoints of the route.
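The secure route cache of FIG. 5, with its expiration time and per-route security level, as an added example that is not code from the patent. The addresses, the UTC time zone and the ordering of level names are constructed assumptions; a lookup returns only an unexpired route whose level is at least the level the client asked for, and expired entries are dropped so the path returns to an unverified state.

```python
"""Trusted host secure route cache (FIG. 5), added example, not the patent's code."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed ordering of security levels, lowest to highest.
LEVEL_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class CachedRoute:
    destination_host: str          # destination host address (e.g. trusted host 209)
    intermediate_routers: list     # zero or more intermediate secure routers
    security_level: str            # lowest clearance of any secure router on the route
    cache_time_expiration: datetime  # administrator-set expiry (FIG. 5, 501)


class SecureRouteCache:
    def __init__(self):
        self._routes = []

    def add(self, route):
        """Expiration, intermediate routers and level are stored together."""
        self._routes.append(route)

    def size(self):
        return len(self._routes)

    def lookup(self, destination_host, required_level, now):
        """Return a cached route to destination_host usable at required_level.

        Expired routes are deleted first (the path reverts to an unverified
        state); a route whose level is below the required level is not used,
        so the trusted host has to query the discovery node again.
        """
        self._routes = [r for r in self._routes if r.cache_time_expiration > now]
        for r in self._routes:
            if (r.destination_host == destination_host
                    and LEVEL_RANK[r.security_level] >= LEVEL_RANK[required_level]):
                return r
        return None


# Constructed cache entry matching the FIG. 5 example: expires 13:01 Aug. 19, 2009.
EXAMPLE_EXPIRY = datetime(2009, 8, 19, 13, 1, tzinfo=timezone.utc)  # assumed UTC
EXAMPLE_ROUTE = CachedRoute("host209", ["router3", "router2"], "secret", EXAMPLE_EXPIRY)
```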

FIG. 6 is a flowchart of steps to configure a secure route discovery node and respond to a secure route query in accordance with an illustrative embodiment of the invention. Initially, the secure route discovery node may build a path between a trusted host and a destination host in a secure routes database (step 601). The trusted host may be, for example, trusted host 201, while the destination host may be trusted host 209. In this arrangement, trusted host 201 may be a source destination host. In other words, the trusted host plays the role of a data processing system that originates the communication. At different times, either trusted host 201 or trusted host 209 may take the role of the source destination host. Any time that a trusted host originates a communication, that trusted host is a source trusted host. Accordingly, a source trusted host is a trusted host that, with respect to a communication, is the originating device for the communication in relation to a network.

Step 601 may be performed, for example, by an administrator entering a path describing each host, secure router or destination host by a unique descriptor into a secure routes database, together with a security level that the path, as a whole, is able to support. By being able to support, it is meant that packets of that security level may traverse nodes in the path without the security level of the packets being above the clearance level of each node in the path. By being “above” it is meant that the first security level is one corresponding to more rigid and exclusive security precautions and/or value than a second security level corresponding to a lighter and/or more relaxed security precaution and/or value.

It is appreciated that other ways of building a path may be performed at step 601. For example, a secure route discovery node may receive multicast packets originating from a secure router that describe the security level and the next hop routers to which it may communicate. The secure route discovery node may then use the information from such multicast packets and build a topology image that it can use to determine the secure routes between two given hosts and also the security levels on these routes. This topology image allows the secure route discovery node to learn about the available routers without significant direct involvement of an administrator.

Next, the secure route discovery node may receive a secure route query (step 603). The secure route query may be in the form, for example, of secure route query 400 of FIG. 4. Next, the secure route discovery node may look up a (secure) path according to criteria in the secure route query (step 605). For example, the secure route discovery node may receive a secure route query comprising a trusted host address corresponding to trusted host 201 of FIG. 2, as well as a destination host address corresponding to trusted host 209 of FIG. 2. A destination host address is an address which, with respect to the network, uniquely identifies the destination host.

The secure route query may further include a security level, for example, “secret”. In the example of FIG. 2, there are two paths from trusted host 201 to the destination host. The first path is the path defined by trusted host 201, router 1, router 3, and the destination host. The second path is the path defined by trusted host 201, router 2, router 3, and the destination host. Each path is paired to the security level of the lowest secure router along the path. The first path may correspond to security level “confidential”, while the second path may correspond to “secret”. Each path, together with its corresponding security level, is stored to the secure routes database. Thus, a criterion to meet when looking up a path, in this example, is that each router in the path correspond to the “secret” security level; otherwise, the route fails to meet the criteria. The criteria can be met if the current route examined by the secure route discovery node is a path that has the same security level or above as compared to the security level of the secure route query. The criteria are one or more comparisons of the information in the secure route query to data stored in the secure routes database.

Next, the secure route discovery node may determine whether the criteria are met. The criteria determination may influence which information the secure route discovery node transmits to a source trusted host. In other words, the secure route discovery node determines if a path is found (step 607). This determination is affirmative when at least one path is found, in which case the secure route discovery node may transmit the path or paths to the trusted host (step 611). Again, in the context of this example, trusted host 611 plays the role of source trusted host. The secure route discovery node can transmit the paths as a secure route discovery node response. The secure route discovery node response can include each node along the path as well as the security level corresponding to the path, as looked up from the secure routes database. On the other hand, a negative determination may cause the secure route discovery node to transmit an empty string to the trusted host (step 609). In the case that the secure route discovery node performs step 609, the secure route discovery node transmits the empty string as at least a part of a secure route discovery node response. Processing may terminate after steps 609 or 611. An empty string may be null data stored in a payload of a packet sent from the secure route discovery node to the trusted host. As may be appreciated, the null data may be any suitable form of placeholder; for example, if a convention is to send paths to the trusted host as data that specifies a number of hops along a path as an initial value to the path (with respect to step 611), then a number of hops equal to zero may indicate an empty string.

A simplified case of looking up the path can be finding a network segment having one endpoint selected from a group consisting of the trusted host and the destination host. Such a network segment, to meet the criteria, can have a clearance level at least as high as the classification level of the secure route query, such that the network segment and at least one additional network segment interconnect the trusted host and the destination host. Each additional network segment has endpoints each having a clearance level at least as high as the classification level of the secure route query.

One way to fail to look up a secure path is to locate only inadequate paths. An inadequate path is a path that corresponds to a clearance level below the security level of the secure route query. Such a path or paths may be found by step 605 when only one or more inadequate paths are found in response to receiving a secure route query.
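Steps 601 through 611 of FIG. 6 carried through on the FIG. 2 network, as an added example that is not the patent's code. The node names, the adjacency, the clearance of the non-MLS router (set to “confidential” so the first path comes out as in the FIG. 6 example) and the hop-count response encoding are constructed assumptions; the lookup keeps a path only when the lowest clearance along it is at least the query's level, and an empty result is sent as a zero hop count.

```python
"""Secure route discovery node (FIG. 6), added example, not the patent's code."""
from dataclasses import dataclass

# Assumed ordering of security levels, lowest to highest.
LEVEL_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Constructed clearance levels following the FIG. 2 / FIG. 6 example.
CLEARANCE = {
    "host201": "secret",        # trusted host 201, source
    "router1": "confidential",  # non-MLS router 1 (assumed level)
    "router2": "top secret",    # MLS top secret router 2
    "router3": "secret",        # MLS secret router 3, in front of the destination
    "host209": "secret",        # trusted host 209, destination
}

# Constructed single-hop adjacency, as routers would announce in multicast packets.
NEIGHBORS = {
    "host201": ["router1", "router2"],
    "router1": ["host201", "router3"],
    "router2": ["host201", "router3"],
    "router3": ["router1", "router2", "host209"],
    "host209": ["router3"],
}


@dataclass(frozen=True)
class SecureRouteQuery:
    """The three fields of secure route query 400 (FIG. 4)."""
    trusted_host: str
    destination_host: str
    security_level: str


def path_security_level(path):
    """A path supports only the lowest clearance of any node along it."""
    return min((CLEARANCE[n] for n in path), key=LEVEL_RANK.__getitem__)


def all_paths(src, dst, neighbors=NEIGHBORS):
    """Enumerate loop-free paths from src to dst by depth-first search."""
    found = []

    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in neighbors[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def build_secure_routes_database(neighbors=NEIGHBORS):
    """Step 601: pair every host-to-host path with the level it can support."""
    hosts = [n for n in neighbors if n.startswith("host")]
    db = []
    for src in hosts:
        for dst in hosts:
            if src != dst:
                for p in all_paths(src, dst, neighbors):
                    db.append((p, path_security_level(p)))
    return db


def lookup_secure_routes(db, query):
    """Steps 605-607: keep paths between the query's endpoints whose level
    is the same as or above the query's level; anything lower is inadequate."""
    wanted = LEVEL_RANK[query.security_level]
    return [
        (p, lvl) for p, lvl in db
        if p[0] == query.trusted_host and p[-1] == query.destination_host
        and LEVEL_RANK[lvl] >= wanted
    ]


def discovery_node_response(db, query):
    """Steps 609/611: each route is sent as [hop count, nodes, level];
    the empty string is encoded as a single zero hop count (assumed convention)."""
    routes = lookup_secure_routes(db, query)
    if not routes:
        return [0]
    return [[len(p) - 1, p, lvl] for p, lvl in routes]
```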

Periodically, the secure route discovery node may receive multicast packets from secure routers, as described further below with respect to FIG. 7. Such multicast packets contain information from which the secure route discovery node may learn a secure router's clearance level and its neighboring nodes. Accordingly, the secure route discovery node may populate its secure routes database with that information. It is appreciated that, from time to time, an administrator may override information stored in the secure routes database, for example to strip a compromised secure router of its clearance level.
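The following is an added example of the discovery-node side of steps 605 through 611 (it is not code from the patent). It builds the secure routes database from router advertisements, enumerates the paths between a trusted host and a destination host whose every intermediate router is cleared for the query's classification, reports the level each path can carry (its weakest router's clearance), and encodes a failed lookup as a zero hop count. The level ordering follows the background section; the message field names, the `inadequate_only` flag that separates "only inadequate paths" from "no connectivity", the administrator `revoke` override and the sample topology are assumptions made for this example.

```python
"""Secure route discovery node: builds a secure routes database from router
advertisements and answers secure route queries.  Added example, not the
patent's code.  Assumed: the level ordering, the message field names, and
that a hop count of zero encodes the empty string."""
from typing import Dict, List, Optional, Set, Tuple

# Lowest to highest, per the background section's scheme.
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}
NAMES = {v: k for k, v in LEVELS.items()}


class SecureRouteDiscoveryNode:
    def __init__(self) -> None:
        # secure routes database: router address -> (clearance, one-hop neighbours)
        self.db: Dict[str, Tuple[str, Set[str]]] = {}

    def receive_advertisement(self, router: str, clearance: str, neighbors) -> None:
        """Record a secure router's multicast advertisement (router step 705)."""
        if clearance not in LEVELS:
            raise ValueError(f"unknown clearance {clearance!r}")
        self.db[router] = (clearance, set(neighbors))

    def revoke(self, router: str) -> None:
        """Administrator override: a compromised router loses its clearance entry."""
        self.db.pop(router, None)

    def _neighbors(self, node: str) -> Set[str]:
        # A segment is usable in both directions; hosts are not in the database
        # themselves but are adjacent to every router that advertised them.
        adj = set(self.db[node][1]) if node in self.db else set()
        adj |= {r for r, (_, nbrs) in self.db.items() if node in nbrs}
        return adj

    def find_paths(self, src: str, dst: str, classification: Optional[str] = None) -> List[List[str]]:
        """All simple paths src -> dst whose intermediate hops are known secure
        routers cleared for `classification` (None: ignore clearance)."""
        need = -1 if classification is None else LEVELS[classification]
        found: List[List[str]] = []

        def walk(node: str, path: List[str]) -> None:
            for nxt in sorted(self._neighbors(node)):
                if nxt in path:
                    continue
                if nxt == dst:
                    found.append(path + [nxt])
                    continue
                entry = self.db.get(nxt)
                if entry is None or LEVELS[entry[0]] < need:
                    continue          # unknown router, or clearance too low: inadequate
                walk(nxt, path + [nxt])

        walk(src, [src])
        return sorted(found, key=len)

    def path_level(self, path: List[str]) -> str:
        """Highest classification the path can carry: its weakest router's clearance."""
        levels = [LEVELS[self.db[n][0]] for n in path[1:-1]]
        return NAMES[min(levels)] if levels else NAMES[max(LEVELS.values())]

    def handle_query(self, query: dict) -> dict:
        """Steps 605-611: respond with the adequate paths, or an empty response."""
        src, dst = query["trusted_host"], query["destination_host"]
        paths = self.find_paths(src, dst, query["security_level"])
        if not paths:
            # Step 609: zero hops is the placeholder for the empty string.  The
            # extra flag separates 'only inadequate paths' from 'no connectivity'.
            return {"hops": 0, "paths": [],
                    "inadequate_only": bool(self.find_paths(src, dst))}
        return {"hops": len(paths[0]) - 1,
                "paths": [{"hops": len(p) - 1, "nodes": p, "level": self.path_level(p)}
                          for p in paths]}


def build_demo_node() -> SecureRouteDiscoveryNode:
    """Constructed sample topology: H1 and H2 are hosts; R1..R3 are secure routers."""
    node = SecureRouteDiscoveryNode()
    node.receive_advertisement("R1", "top secret", ["H1", "R2", "R3"])
    node.receive_advertisement("R2", "secret", ["R1", "H2"])
    node.receive_advertisement("R3", "classified", ["R1", "H2"])
    return node
```

With the sample topology, a "secret" query from H1 to H2 yields only H1-R1-R2-H2; a "top secret" query yields a zero-hop response flagged `inadequate_only`, and revoking R2 makes the "secret" query fail the same way, which is the behaviour the cache expiry discussed with FIG. 8 is meant to propagate to trusted hosts.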

FIG. 7 is a flowchart of steps performed at a secure router in accordance with an illustrative embodiment of the invention. Initially, the secure router may set a security level for the secure router and an address for the secure route discovery node (step 701). These settings permit the secure router to later communicate with the secure route discovery node and inform the secure route discovery node of the security level of the secure router. The security level may be set by way of a user interface that elicits from an authorized administrator the security level to associate with the secure router.

Next, the secure router may set a routing table (step 703). Next, the secure router may transmit a multicast packet carrying its security level and its neighbor routers (step 705). The neighbor routers can include one or more neighbor secure routers. A neighbor secure router is a router reached in a single hop from the secure router. It is appreciated that the payload of security level and neighbor routers may be divided among several packets, as an alternative to step 705. Next, the secure router may receive a packet from a source address (step 707). The packet may carry a label for a classification level. As such, the secure router may compare the packet's label to the security level of the secure router set at step 701. Thus, the secure router determines whether the packet classification level is above the secure router security level (step 709).

A positive determination at step 709 can cause the secure router to transmit the source address to the secure route discovery node (step 721). A reason to report the source address in this manner is that doing so may help identify the node corresponding to the source address as a node that is ineffective at assuring that packets dispatched from it traverse only secure routers having clearance levels at or above the classification level of those packets. Accordingly, the secure router may next drop the packet (step 723).

If, instead, the secure router makes a negative determination at step 709, the secure router may transmit the packet according to the strict source route option of the internet protocol (step 711). Such a strict source route can be established on the basis of a secure route determined by a trusted host in cooperation with a secure route discovery node, explained further below. Next, after either step 711 or step 723, the secure router may determine if the packet received at step 707 is the last packet (step 713). A negative determination causes the secure router to repeat step 707, and accordingly receive an additional packet. A positive determination at step 713 may cause termination.
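The following is an added example of the secure router of FIG. 7 (it is not code from the patent): the advertisement of step 705, and the policing of steps 709 through 723, in which a packet labelled above the router's clearance causes its source address to be reported to the discovery node and the packet to be dropped, while any other packet is handed to the next hop named in its strict source route. The packet field names, the outcome strings and the sample traffic are constructed for this example. Two behaviours go beyond what the page specifies and are assumptions: a packet with a missing or unknown label is treated like an over-classified one (fail closed), and a packet whose next listed hop is not directly attached is dropped, as strict source routing under RFC 791 cannot forward it.

```python
"""Secure router policing (FIG. 7): advertise clearance and neighbours, then
check every received packet's classification label against the router's own
clearance before forwarding it along its strict source route.  Added example,
not the patent's code; packet field names and result strings are assumptions."""
from typing import List, Optional

LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}


class SecureRouter:
    def __init__(self, address: str, clearance: str, neighbors, discovery_node: str) -> None:
        if clearance not in LEVELS:
            raise ValueError(f"unknown clearance {clearance!r}")
        self.address = address
        self.clearance = clearance              # step 701: entered by an authorised administrator
        self.discovery_node = discovery_node    # step 701: where policing reports are sent
        self.neighbors = set(neighbors)         # step 703: routing table of one-hop neighbours
        self.reports: List[dict] = []           # step 721: what was sent to the discovery node
        self.forwarded: List[tuple] = []        # step 711: (next hop, packet)
        self.dropped: List[dict] = []           # step 723

    def advertisement(self) -> dict:
        """Step 705: multicast payload from which the discovery node builds its database."""
        return {"type": "advertisement", "router": self.address,
                "security_level": self.clearance, "neighbors": sorted(self.neighbors)}

    def next_hop(self, packet: dict) -> Optional[str]:
        """The address following this router in the packet's strict source route."""
        route = packet.get("strict_source_route", [])
        if self.address not in route:
            return None
        i = route.index(self.address)
        return route[i + 1] if i + 1 < len(route) else None

    def handle_packet(self, packet: dict) -> str:
        """Steps 709-723 for one packet; the return value records the outcome."""
        label = packet.get("label")
        # Step 709: a packet classified above this router's clearance must not transit it.
        # An absent or unknown label is handled the same way (fail closed; an assumption).
        if label not in LEVELS or LEVELS[label] > LEVELS[self.clearance]:
            self.reports.append({"to": self.discovery_node, "router": self.address,
                                 "source_address": packet.get("src"), "label": label})  # step 721
            self.dropped.append(packet)                                                   # step 723
            return "reported-and-dropped"
        nxt = self.next_hop(packet)
        # Strict source routing (RFC 791) requires the next listed hop to be directly
        # attached; anything else is misrouted and is not forwarded (an assumption
        # beyond the page, which specifies only the label check).
        if nxt is None or nxt not in self.neighbors:
            self.dropped.append(packet)
            return "dropped-unroutable"
        self.forwarded.append((nxt, packet))                                              # step 711
        return f"forwarded-to-{nxt}"

    def process(self, packets) -> List[str]:
        """Steps 707 and 713: handle packets one at a time until the last one."""
        return [self.handle_packet(p) for p in packets]


def demo_router() -> SecureRouter:
    """Constructed sample: R2 is cleared 'secret', attached to router R1 and host H2."""
    return SecureRouter("R2", "secret", ["R1", "H2"], discovery_node="D1")


# Constructed sample traffic as seen by R2 (not captured data).
SAMPLE_PACKETS = [
    {"src": "H1", "dst": "H2", "label": "secret",
     "strict_source_route": ["R1", "R2", "H2"], "payload": b"within clearance"},
    {"src": "H7", "dst": "H2", "label": "top secret",
     "strict_source_route": ["R1", "R2", "H2"], "payload": b"above clearance"},
    {"src": "H1", "dst": "H2", "label": "classified",
     "strict_source_route": ["R1", "R2", "R9", "H2"], "payload": b"next hop not attached"},
    {"src": "H8", "dst": "H2",
     "strict_source_route": ["R1", "R2", "H2"], "payload": b"unlabelled"},
]
```

Running `demo_router().process(SAMPLE_PACKETS)` forwards the first packet to H2 and reports H7 and H8 to the discovery node; the reports are the signal the page describes for identifying hosts that fail to keep their traffic on adequately cleared routers.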

FIG. 8 is a flowchart of steps for a trusted host to take to set up a secure route in accordance with an illustrative embodiment of the invention. Initially, the trusted host sets a node security association (step 801). A node security association can be a default classification level for packets transmitted from the trusted host. The node may provide a user interface through which an authorized person acting as administrator may edit one or more configuration files to store the node security association. It is appreciated that the configuration file may be any form of data structure suitable for storing configuration information on the node, for example, a database, a flat file, or the like. Accordingly, the configuration file may be stored wholly or in part in storage, memory, cache or any other electronic device for reference by processes executing on the node. Next, the trusted host may receive a client communication request directed to a destination host (step 803). In the example of network 200 of FIG. 2, trusted host 209 is the destination host because the communication request names it as the destination host. A client communication request is a signal generated by a client, or in response to a client, by which the client requests that information be transmitted in packets to a destination host. Accordingly, the client communication request may include, for example, a hypertext transfer protocol (HTTP) request directed to a destination host, as may be issued by a browser. The client communication request may likewise be for file transfer protocol packets, simple mail transfer protocol packets, or lightweight directory access protocol packets, among others. The client communication request may specify a security classification. However, if the client communication request does not specify a security level, the node security association is used as the security level.

Next, the trusted host may determine whether a secure route cache describes the destination host (step 805). Step 805 may include matching a cached route that includes the destination host against the security level determined at step 803. If no such route is cached, or if the security level associated with the route is below the security level determined at step 803, a negative determination occurs at step 805.

Accordingly, steps 811 through 819 may permit the trusted host to acquire a secure route when no secure route is discoverable within the secure route cache. The trusted host may transmit a secure route query (step 811). The step may be performed using the security level determined at step 803. Next, the trusted host may receive a secure route discovery node response (step 813). Next, the trusted host may determine if the secure route discovery node response is non-empty (step 815). The secure route discovery node response may be formed as described in relation to FIG. 6, above. Accordingly, a positive result at step 815 may result in the trusted host storing a secure route to a secure route cache (step 817). Next, the trusted host may set a cache time for the secure route (step 819). A typical cache time may be up to 60 seconds, and can be set by a tunable setting. The cache time may be set in the manner described with respect to FIG. 5, above. Alternatively, a negative result at step 815 may result in the process terminating. In other words, an empty response at step 815 prevents the client from sending packets to the destination host.

After setting a cache time at step 819, the trusted host may send a packet based on the secure route (step 821). The secure route may be as determined from the secure route cache, or as determined by other means, described below. In addition, for each packet sent, the trusted host may set the strict source route option, so that the packet is constrained to the secure routers of the secure route. Next, the trusted host may determine whether more packets are available to send from the client to the destination host (step 823). If not, processing may terminate. If so, the trusted host may resume at step 805, which determines whether the secure route cache still has a suitable route, since the cache time may have expired.

An alternate result to step 805 is to determine that the secure routecache describes a destination host. Accordingly, having made anaffirmative determination, the trusted host may form a secure routebased on the secure route cache (step 831). Processing continues at step821 described above.
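The following is an added example of the trusted-host side of FIG. 8 (it is not code from the patent): the node security association of step 801 supplies the default label, a secure route cache with a tunable cache time serves step 805 and expires entries as in claim 12, a secure route query is issued on a miss, an empty response stops the client's packets, and every packet sent carries its label and a strict source route. The response shape (a zero hop count for the empty string), keying the cache by destination and route level so a cached "secret" route can also serve a "classified" request but never a "top secret" one, the `ManualClock` and the `DemoResponder` that stands in for the discovery node are assumptions made for this example.

```python
"""Trusted host side (FIG. 8): node security association, secure route cache
with a tunable cache time, secure route query, and strict source routing of
the client's packets.  Added example, not the patent's code; the response
shape, the cache key, ManualClock and DemoResponder are assumptions."""
import time
from typing import Callable, Dict, List, Optional, Tuple

LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}


class ManualClock:
    """Constructed clock so cache expiry can be exercised deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class TrustedHost:
    def __init__(self, address: str, node_security_association: str,
                 query_fn: Callable[[dict], dict], cache_time: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if node_security_association not in LEVELS:
            raise ValueError(f"unknown level {node_security_association!r}")
        self.address = address
        self.nsa = node_security_association     # step 801: default label for packets
        self.query_fn = query_fn                 # sends a secure route query, returns the response
        self.cache_time = cache_time             # step 819: tunable, 60 s by default
        self.clock = clock
        # secure route cache: (destination, route level) -> (route, expiry time)
        self.cache: Dict[Tuple[str, str], Tuple[List[str], float]] = {}

    def cached_route(self, dst: str, level: str) -> Optional[List[str]]:
        """Step 805: a cached route is usable only if it is unexpired and its
        level is at or above the level required for this request."""
        now = self.clock()
        for key, (route, expiry) in list(self.cache.items()):
            if expiry <= now:
                del self.cache[key]              # cache time expired
            elif key[0] == dst and LEVELS[key[1]] >= LEVELS[level]:
                return route
        return None

    def discover_route(self, dst: str, level: str) -> Optional[List[str]]:
        """Steps 811-819: query the discovery node and cache a non-empty answer."""
        response = self.query_fn({"trusted_host": self.address,
                                  "destination_host": dst, "security_level": level})
        if response.get("hops", 0) == 0 or not response.get("paths"):
            return None                          # step 815: empty string, no route
        best = response["paths"][0]
        route = list(best["nodes"])
        self.cache[(dst, best["level"])] = (route, self.clock() + self.cache_time)
        return route

    def send(self, request: dict) -> List[dict]:
        """Steps 803-823: one labelled, strict-source-routed packet per payload."""
        dst = request["destination_host"]
        level = request.get("security_level", self.nsa)   # step 803
        packets = []
        for payload in request["payloads"]:
            route = self.cached_route(dst, level) or self.discover_route(dst, level)
            if route is None:
                raise PermissionError(f"no secure route to {dst} at level {level!r}")
            packets.append({"src": self.address, "dst": dst, "label": level,
                            # strict source route option: every hop after the source
                            "strict_source_route": route[1:], "payload": payload})
        return packets


class DemoResponder:
    """Constructed stand-in for the secure route discovery node: it knows one
    path to H2 that can carry up to 'secret', and nothing else."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, query: dict) -> dict:
        self.calls += 1
        if query["destination_host"] == "H2" and LEVELS[query["security_level"]] <= LEVELS["secret"]:
            return {"hops": 3, "paths": [
                {"hops": 3, "nodes": ["H1", "R1", "R2", "H2"], "level": "secret"}]}
        return {"hops": 0, "paths": []}           # the empty string of step 609
```

With `TrustedHost("H1", "secret", DemoResponder(), clock=ManualClock())`, two payloads to H2 cost one query, a later "classified" request reuses the cached route, a "top secret" request is refused, and once the clock passes the 60 second cache time the next request queries again, which is how a route revoked at the discovery node stops being used.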

The illustrative embodiments permit a government to establish a secure path between a trusted host and a destination host, or at least to indicate to the trusted host that no secure route is known to a secure route discovery node. In addition, any secure paths so provided may expire on a timescale that makes the trusted host responsive to ad hoc revisions of the secure routes database, as might occur if a secure router becomes compromised and is stripped of its associated clearance level. One or more illustrative embodiments may detect improperly routed packets, and respond accordingly.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The invention can take the form of an entirely hardware embodiment, anentirely software embodiment or an embodiment containing both hardwareand software elements. In a preferred embodiment, the invention isimplemented in software, which includes but is not limited to firmware,resident software, microcode, etc.

Furthermore, the invention can take the form of a computer programproduct accessible from a computer-usable or computer-readable mediumproviding program code for use by or in connection with a computer orany instruction execution system. For the purposes of this description,a computer-usable or computer readable medium can be any tangibleapparatus that can contain, store, communicate, propagate, or transportthe program for use by or in connection with the instruction executionsystem, apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic,infrared, or semiconductor system (or apparatus or device) or apropagation medium. Examples of a computer-readable medium include asemiconductor or solid state memory, magnetic tape, a removable computerdiskette, a random access memory (RAM), a read-only memory (ROM), arigid magnetic disk and an optical disk. Current examples of opticaldisks include compact disk—read only memory (CD-ROM), compactdisk—read/write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing programcode will include at least one processor coupled directly or indirectlyto memory elements through a system bus. The memory elements can includelocal memory employed during actual execution of the program code, bulkstorage, and cache memories, which provide temporary storage of at leastsome program code in order to reduce the number of times code must beretrieved from bulk storage during execution.

Input/output or I/O devices (including but not limited to keyboards,displays, pointing devices, etc.) can be coupled to the system eitherdirectly or through intervening I/O controllers.

Network adapters may also be coupled to the system to enable the dataprocessing system to become coupled to other data processing systems orremote printers or storage devices through intervening private or publicnetworks. Modems, cable modem and Ethernet cards are just a few of thecurrently available types of network adapters.

The description of the present invention has been presented for purposesof illustration and description, and is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the art. Theembodiment was chosen and described in order to best explain theprinciples of the invention, the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular use contemplated.

1. A computer implemented method for identifying a source router, the computer implemented method comprising: transmitting a multicast packet, wherein the multicast packet defines a security level and a neighbor secure router for a secure router; receiving at least one packet above the security level associated with the secure router; and responsive to receiving the at least one packet having a classification level above the security level, transmitting a source address of the at least one packet to a secure route discovery node.
 2. The computer implementedmethod of claim 1, further comprising: setting an address of the secureroute discovery node; and wherein transmitting the source addresscomprises transmitting the source address to the address of the secureroute discovery node.
 3. The computer implemented method of claim 1,wherein the at least one packet conforms to multilevel securitystandard.
 4. The computer implemented method of claim 1, furthercomprising: responsive to receiving the at least one packet having aclassification level above the security level, dropping the at least onepacket.
 5. The computer implemented method of claim 1, furthercomprising: receiving at least one packet at or below the clearancelevel associated with the secure router; and transmitting the at leastone packet at or above the clearance level.
 6. The computer implementedmethod of claim 5, wherein transmitting the at least one packet is byusing a strict source route internet protocol.
 7. A computer implementedmethod for obtaining a secure route, the computer implemented methodcomprising: setting a node security association for a trusted host;receiving, at the trusted host, a client communication request directedto a destination host; building a secure route query comprising atrusted host address, a destination host address, and at least onesecurity level, to form at least one secure route; and sending packetsfrom the trusted host to the destination host based on the at least onesecure route, wherein the packets are responsive to the clientcommunication request, and the packets each have a security label thatmatches the security level.
 8. The computer implemented method of claim7, wherein sending packets further comprises: setting a strict sourceroute option on each packet.
 9. The computer implemented method of claim7, wherein building further comprises: determining whether thedestination host is described in a secure route cache at the trustedhost; and responsive to a determination that the destination host is inthe secure route cache, forming the secure route based on the secureroute cache.
 10. The computer implemented method of claim 7, whereinbuilding further comprises: determining whether the destination host isdescribed in a secure route cache; responsive to a determination thatthe destination host is not in the secure route cache, transmitting thesecure route query to a secure route discovery host; receiving a secureroute discovery node response; determining whether the secure routediscovery node response is non-empty; and responsive to a determinationthat the secure route discovery node response is non-empty, storing atleast one secure route of the secure route discovery node response tothe secure route cache based on the secure route discovery noderesponse.
 11. The computer implemented method of claim 10, further comprising: setting a cache time for the at least one secure route.
 12. The computer implemented method of claim 11, further comprising: determining a cache time expiration with respect to at least one secure route; and responsive to a determination that the cache time has expired, deleting the at least one secure route from the secure route cache.
 13. The computer implemented method of claim 10, furthercomprising: responsive to receiving a secure route discovery noderesponse, caching the at least one secure route in the secure routecache response for a tunable cache time.
 14. A computer implemented method to direct at least one secure router, the method comprising: receiving a secure route query from a trusted host, the secure route query comprising a trusted host address, a destination host address and one classification level; looking up at least one path having as endpoints a trusted host and a destination host; and responsive to finding a path, transmitting a secure route discovery node response.
 15. The computer implemented method of claim 14, wherein looking up at least one path further comprises: finding a network segment having one endpoint selected from the group consisting of trusted host and destination host, the network segment having a clearance level at least as high as the one classification level such that the network segment and at least one additional network segment interconnect trusted host and destination host, wherein each additional network segment has endpoints each having a clearance level at least as high as the one classification level.
 16. The computer implemented method of claim 14, wherein looking up the at least one path further comprises: locating only one or more inadequate paths to interconnect trusted host and destination host via secure routers having clearance levels at or above the classification level; and responsive to locating only one or more inadequate paths, transmitting the secure route discovery node response as a packet to the trusted host, the packet having an empty string.
 17. The computer implemented method of claim 14, further comprising: receiving a multicast packet having a secure router and a clearance level associated with the secure router; and building a secure routes database having at least one network segment having the secure router as an endpoint, wherein the at least one network segment is associated with a clearance level at or below the clearance level associated with the secure route discovery node, wherein the looking up is with reference to the secure routes database.
 18. A computer program product for obtaining a secure route, the computer program product comprising: a computer usable medium having computer usable program code embodied therewith, the computer program product comprising: computer usable program code configured to set a node security association for a trusted host; computer usable program code configured to receive, at the trusted host, a client communication request directed to a destination host; computer usable program code configured to build a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route; and computer usable program code configured to send packets from the trusted host to the destination host based on the at least one secure route, wherein the packets are responsive to the client communication request, and the packets each have a security label that matches the security level.
 19. The computer program product of claim 18, wherein sending packets further comprises: computer usable program code configured to set a strict source route option on each packet.
 20. The computer programproduct of claim 18, wherein building further comprises: computer usableprogram code configured to determine whether the destination host isdescribed in a secure route cache at the trusted host; and computerusable program code configured to form the secure route based on thesecure route cache, responsive to a determination that the destinationhost is in the secure route cache.
 21. The computer program product of claim 18, wherein building further comprises: computer usable program code configured to determine whether the destination host is described in a secure route cache; computer usable program code configured to transmit the secure route query to a secure route discovery host responsive to a determination that the destination host is not in the secure route cache; computer usable program code configured to receive a secure route discovery node response; computer usable program code configured to determine whether the secure route discovery node response is non-empty; and computer usable program code configured to store at least one secure route of the secure route discovery node response to the secure route cache based on the secure route discovery node response, responsive to a determination that the secure route discovery node response is non-empty.
 22. The computer program product of claim21, further comprising: computer usable program code configured to set acache time for the at least one secure route.
 23. The computer programproduct of claim 22, further comprising: computer usable program codeconfigured to determine a cache time expiration with respect to at leastone secure route; and computer usable program code configured to deletethe at least one secure route from the secure route cache, responsive toa determination that the cache time has expired.
 24. The computerprogram product of claim 21, further comprising: computer usable programcode configured to cache the at least one secure route in the secureroute cache response for a tunable cache time, responsive to receiving asecure route discovery node response.